Evasive Gootkit Banking Trojan | IOCs
Logo
Try VMRay Analyzer
VTI SCORE: 100/100
Dynamic Analysis Report
Classification: Backdoor, Dropper, Spyware, Downloader

6ded37a61962a6a6626bd47adb66f5f73742d8d2125cdff1dc3f932d0a8e5d2e (SHA256)

gootkit_vbs-6ded37a6.vir.vbs

VBScript

Created at 2018-12-13 14:00:00

...

Notifications (2/2)

Code overwrite was observed during this analysis. Note that the analysis results may be affected by this modification by the sample.

The overall sleep time of all monitored processes was truncated from "29 minutes, 45 seconds" to "1 minute, 40 seconds" to reveal dormant functionality.

Indicators

File (274)
»
Filename Hash Operations Source
CONOUT$ - Access
C:\ - Access
C:\Program Files\WindowsPowerShell\Modules - Access
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management - Access
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll - Access
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility - Access
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll - Access
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Security - Access
C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.dll - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1 - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.cdxml - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.dll - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psd1 - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\1.0.0.1.xaml - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1 - Access, Read
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.cdxml - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.dll - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psd1 - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\PackageManagement\PackageManagement.xaml - Access
C:\Program Files\WindowsPowerShell\Modules\Pester - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5 - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.cdxml - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.dll - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psd1 - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\3.3.5.xaml - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psd1 - Access, Read
C:\Program Files\WindowsPowerShell\Modules\Pester\3.3.5\Pester.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.cdxml - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.dll - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psd1 - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\Pester\Pester.xaml - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1 - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.cdxml - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.dll - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psd1 - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\1.0.0.1.xaml - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1 - Access, Read
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.cdxml - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.dll - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psd1 - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\PowerShellGet.xaml - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1 - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.cdxml - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.dll - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psd1 - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\1.1.xaml - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.cdxml - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.dll - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psd1 - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\en\en.xaml - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadline.psd1 - Access, Read
C:\Program Files\WindowsPowerShell\Modules\PSReadline\1.1\PSReadLine.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.cdxml - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.dll - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psd1 - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.psm1 - Access
C:\Program Files\WindowsPowerShell\Modules\PSReadline\PSReadline.xaml - Access
C:\ProgramData\Oracle\Java\javapath - Access
\\?\C:\ProgramData\{d781e3a1-e512-422f-aa6c-27428437cbc4}.lock - Access
C:\Users - Access
C:\Users\All Users\AppData\Local\Temp\uqjckeguhl.tmp - Access
C:\Users\All Users\Local Settings\Temp\uqjckeguhl.tmp - Access
C:\Users\Default User\AppData\Local\Temp\uqjckeguhl.tmp - Access
C:\Users\Default User\Local Settings\Temp\uqjckeguhl.tmp - Access
C:\Users\Default\AppData\Local\Temp\uqjckeguhl.tmp - Access
C:\Users\Default\Local Settings\Temp\uqjckeguhl.tmp - Access
C:\Users\Nd9E1FYi - Access
C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\ - Access
C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_0ac90668-b7fb-46d6-80e6-01a947284e18 MD5: 9832b59b183bb6318e62f1385d345c6d
SHA1: 54b856a180fb3723403f9aad24ca548de63dc376
SHA256: bfd60204585f1603ee9faac7c44adb9fcd6fa56b7748f03ecb1a9beaa7c56ea1
SSDeep: 24:WM83yV+ty+qXlIZXxf/DXdQXPZX3X6S+Z+Wz+q:BSy8PilIhNTWPhn6lgDq
ImpHash: None 		Access, Write Modified File
C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_41c67784-5a05-4d3a-a346-47e4d3e9d32f MD5: c9fa9488f8854802c6f5eff3234d8a8a
SHA1: 8b9029e83008d74b8c5414a2ef064629a340c9ae
SHA256: 12bd362291f72f2c2e7756742b7377549d13d5bf231455d23ef250c5bdf18121
SSDeep: 24:WM83yV+ty+ZcnPZcMGcZcFc7Vc4vcEvcXc6c4ncSZncJ5S+Z+Wz+q:BSy8PiPiMLim64EEEM34cYcJ5lgDq
ImpHash: None 		Access, Read, Write Modified File
C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_46610b03-43d8-466e-ac05-954274c00100 - Access
C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_96fb2ebe-5768-403c-8fbc-1b0ef0323733 MD5: 8845f276e426accd51223008b6aed4bf
SHA1: c9fa81aa57e7c32c4bcefd33788967cc3170fe91
SHA256: 72831bc6962c8017ea71abc038a8f60e79976ebaf05d363c80f32c975a55d0d9
SSDeep: 192:8wUOJGqwAf5CBbXuQuxs0B8HX64MnENxUyrTEAsr9jQ0uwm/CgGZYySo0nbSRNNo:8wUOJGqwARCBbXxss0B8364MnENxUyr3
ImpHash: None 		Access, Read, Write Modified File
C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheEntry_b546bd1f-3b03-41b0-bebc-d44f0a030d28 - Access, Read
C:\Users\Nd9E1FYi\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex MD5: 40e29531e81493d6e680e38c3ace3714
SHA1: ee078721826355eae9ef0e96d476edf307d54046
SHA256: 57b17ab692375358c25c34caf15c1f0b4705a67ea5bedbd852fdec393a40eac0
SSDeep: 384:yEsbArBxxb7k02/0pdIGs+VW6lIZFi7xal0Rxfk2/i4JB9tG+sQRwuA01Jn6ioKA:5F03+oYG
ImpHash: None 		Access, Read, Write Modified File
C:\Users\Nd9E1FYi\AppData\Local\Temp\ - Access
C:\Users\Nd9E1FYi\AppData\Local\Temp\bwaykzvy.uyx.ps1 MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SSDeep: 3:U:U
ImpHash: None 		Access, Write Created File
\\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\dynwrapx.dll - Access
\\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\dynwrapx.sxs.manifest - Access
\\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\fatal-log.txt - Access
C:\Users\Nd9E1FYi\AppData\Local\Temp\iiqbe4ps.w2t.psm1 MD5: c4ca4238a0b923820dcc509a6f75849b
SHA1: 356a192b7913b04c54574d18c28d46e6395428ab
SHA256: 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SSDeep: 3:U:U
ImpHash: None 		Access, Write Created File
\\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\mshta.exe - Access
\\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\mshta.exe.manifest - Access
C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.exe MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
ImpHash: None 		Access, Read Created File
C:\Users\Nd9E1FYi\AppData\Local\Temp\SMSvcHost32.inf MD5: d63332b5a8254668fbae1255b085775d
SHA1: 4e82e31ad4e2eff91feec5f3827ed31168da3ca4
SHA256: 66db29d5f893e6629dacd2a8097643fac25e67f707399b0b72e41506c164886b
SSDeep: 6:AkAh+BIHgVooT4WY/fWgJDIQlLJobNDHHAIQlLJobNDjPhn23fobAd9:Q+BIASL/fXJobRneJobRj0o49
ImpHash: None 		Access, Write Created File
C:\Users\Nd9E1FYi\AppData\Local\Temp\tmp8C77.tmp MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SSDeep: 3::
ImpHash: None 		Access, Write Created File
\\?\C:\Users\Nd9E1FYi\AppData\Local\Temp\uncaught-log.txt - Access
C:\Users\Nd9E1FYi\AppData\Local\Temp\uqjckeguhl.tmp - Access
C:\Users\Nd9E1FYi\Desktop - Access
C:\Users\Nd9E1FYi\Desktop\gootkit_vbs-6ded37a6.vir.vbs MD5: e5031e1adceac15c5db78da6f4303905
SHA1: 53c7e365d8f55e0b3cf5e958e3b5da05b456a61b
SHA256: 6ded37a61962a6a6626bd47adb66f5f73742d8d2125cdff1dc3f932d0a8e5d2e
SSDeep: 3072:Dg+cIZ071HOQBVJ7nxCtGcH8C3fVJ9YTT4pIAFxoftxqKudFAV8cw7OJO4:DgVN1HOQjJ7xCtGcH8OP98T4pZxirju+
ImpHash: None 		Access Sample File
C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1 - Access
C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\Modules - Access
C:\Users\Nd9E1FYi\Documents\WindowsPowerShell\profile.ps1 - Access
C:\Users\Nd9E1FYi\Local Settings\Temp\uqjckeguhl.tmp - Access
C:\Users\Public\AppData\Local\Temp\uqjckeguhl.tmp - Access
C:\Users\Public\Local Settings\Temp\uqjckeguhl.tmp - Access
C:\Windows - Access
C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll - Access
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config - Access, Read
C:\Windows\system32 - Access
C:\Windows\system32\cmd.exe - Access
C:\Windows\SYSTEM32\ntdll.dll - Access, Read
C:\Windows\System32\Wbem - Access
C:\Windows\System32\WindowsPowerShell\v1.0\ - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Certificate.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\DotNetTypes.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\FileSystem.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Help.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\HelpV3.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\Microsoft.PowerShell_profile.ps1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules - Access
c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask - Access
c:\windows\system32\windowspowershell\v1.0\Modules\AppBackgroundTask\AppBackgroundTask.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker - Access
c:\windows\system32\windowspowershell\v1.0\Modules\AppLocker\AppLocker.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Appx - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Appx\Appx.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess - Access
c:\windows\system32\windowspowershell\v1.0\Modules\AssignedAccess\AssignedAccess.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\AssignedAccess\AssignedAccess.psm1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker - Access
c:\windows\system32\windowspowershell\v1.0\Modules\BitLocker\BitLocker.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psm1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer - Access
c:\windows\system32\windowspowershell\v1.0\Modules\BitsTransfer\BitsTransfer.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache - Access
c:\windows\system32\windowspowershell\v1.0\Modules\BranchCache\BranchCache.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\CimCmdlets\CimCmdlets.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Defender\Defender.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\DirectAccessClientComponents\DirectAccessClientComponents.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Dism - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Dism\Dism.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Dism\Dism.psm1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient - Access
c:\windows\system32\windowspowershell\v1.0\Modules\DnsClient\DnsClient.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement - Access
c:\windows\system32\windowspowershell\v1.0\Modules\EventTracingManagement\EventTracingManagement.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\International - Access
c:\windows\system32\windowspowershell\v1.0\Modules\International\International.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI - Access
c:\windows\system32\windowspowershell\v1.0\Modules\iSCSI\iSCSI.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\ISE - Access
c:\windows\system32\windowspowershell\v1.0\Modules\ISE\ISE.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ISE\ISE.psm1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Kds - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Kds\Kds.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.cdxml - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.dll - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.psm1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\en-US\en-US.xaml - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Archive\Microsoft.PowerShell.Archive.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Management\Microsoft.PowerShell.Commands.Management.dll - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Commands.Utility\Microsoft.PowerShell.Commands.Utility.dll - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Diagnostics\Microsoft.PowerShell.Diagnostics.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Host\Microsoft.PowerShell.Host.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en-US\Microsoft.PowerShell.Management.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\en\Microsoft.PowerShell.Management.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Commands.Management.dll\Microsoft.PowerShell.Commands.Management.dll - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.Management\Microsoft.PowerShell.Management.psd1 - Access, Read
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Management\PSGetModuleInfo.xml - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.cdxml - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.dll - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.psm1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\en-US\en-US.xaml - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtils.psm1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.ODataUtils\Microsoft.PowerShell.ODataUtilsHelper.ps1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.dll - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\Microsoft.PowerShell.Security.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Security\PSGetModuleInfo.xml - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en-US\Microsoft.PowerShell.Utility.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\en\Microsoft.PowerShell.Utility.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Commands.Utility.dll\Microsoft.PowerShell.Commands.Utility.dll - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1 - Access, Read
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1 - Access, Read
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\PSGetModuleInfo.xml - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management - Access
c:\windows\system32\windowspowershell\v1.0\Modules\Microsoft.WSMan.Management\Microsoft.WSMan.Management.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\MMAgent - Access
c:\windows\system32\windowspowershell\v1.0\Modules\MMAgent\MMAgent.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc - Access
c:\windows\system32\windowspowershell\v1.0\Modules\MsDtc\MsDtc.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter - Access
c:\windows\system32\windowspowershell\v1.0\Modules\NetAdapter\NetAdapter.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetConnection\NetConnection.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetEventPacketCapture\NetEventPacketCapture.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetLbfo - Access
c:\windows\system32\windowspowershell\v1.0\Modules\NetLbfo\NetLbfo.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetNat\NetNat.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetQos\NetQos.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSecurity\NetSecurity.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\NetSwitchTeam.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetTCPIP\NetTCPIP.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkConnectivityStatus\NetworkConnectivityStatus.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkSwitchManager\NetworkSwitchManager.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\NetworkTransition\NetworkTransition.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PcsvDevice\PcsvDevice.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PKI\PKI.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PnpDevice\PnpDevice.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PrintManagement\PrintManagement.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSDesiredStateConfiguration\PSDesiredStateConfiguration.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\PSDiagnostics\PSDiagnostics.psm1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSScheduledJob\PSScheduledJob.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflow\PSWorkflow.psd1 - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility - Access
c:\windows\system32\windowspowershell\v1.0\Modules\PSWorkflowUtility\PSWorkflowUtility.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\ScheduledTasks\ScheduledTasks.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SecureBoot\SecureBoot.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbShare\SmbShare.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\SmbWitness\SmbWitness.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\StartLayout\StartLayout.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Storage\Storage.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TLS\TLS.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TroubleshootingPack\TroubleshootingPack.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\TrustedPlatformModule\TrustedPlatformModule.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\VpnClient\VpnClient.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Wdac\Wdac.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsDeveloperLicense\WindowsDeveloperLicense.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsErrorReporting\WindowsErrorReporting.psm1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsSearch\WindowsSearch.psd1 - Access
C:\Windows\system32\WindowsPowerShell\v1.0\Modules\WindowsUpdate\WindowsUpdate.psd1 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Access
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe.config - Access
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellCore.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\PowerShellTrace.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\profile.ps1 - Access
C:\Windows\System32\WindowsPowerShell\v1.0\Registry.format.ps1xml - Access, Read
C:\Windows\System32\WindowsPowerShell\v1.0\types.ps1xml - Access
C:\Windows\System32\WindowsPowerShell\v1.0\typesv3.ps1xml - Access
C:\Windows\system32\wldp.dll - Access
Registry (186)
»
Registry Key Name Operations
HKEY_CLASSES_ROOT\.vbs Access, Read
HKEY_CLASSES_ROOT\VBSFile\ScriptEngine Access, Read
HKEY_CURRENT_USER Access
HKEY_CURRENT_USER\Environment Access
HKEY_CURRENT_USER\Environment\PSMODULEPATH Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft Access
HKEY_CURRENT_USER\SOFTWARE\Microsoft\.NETFramework\XML Access
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer Read
HKEY_CURRENT_USER\SOFTWARE\Microsoft\{102f49a9-80c9-42ee-8924-3256738fc621} Read, Write
HKEY_CURRENT_USER\SOFTWARE\Microsoft\{2dc03b67-bbe0-46f6-a506-c0799ccb1f6b} Read, Write
HKEY_CURRENT_USER\SOFTWARE\Microsoft\{7ade5bfc-66f6-4220-aa24-6032bdb90317} Read, Write
HKEY_CURRENT_USER\SOFTWARE\Microsoft\{ec58180b-dfce-4a67-b18b-e6d83b3e979b} Write
HKEY_CURRENT_USER\Software\AppDataLow Access
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_0 Read, Write, Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_1 Read, Write, Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_10 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_11 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_12 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_13 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_14 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_15 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_16 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_17 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_18 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_19 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_2 Read, Write, Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_20 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_21 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_22 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_23 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_24 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_25 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_26 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_27 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_28 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_29 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_3 Read, Write, Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_30 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_31 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_32 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_33 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_34 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_35 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_36 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_37 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_38 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_39 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_4 Read, Write, Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_40 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_41 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_42 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_43 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_44 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_45 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_46 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_47 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_48 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_49 Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_5 Read, Write, Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_6 Read, Write, Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_7 Read, Write, Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_8 Read, Delete
HKEY_CURRENT_USER\Software\AppDataLow\gpscsdch_9 Delete
HKEY_CURRENT_USER\Software\Microsoft\Command Processor Access
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DefaultColor Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DisableUNCCheck Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions Read
HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar Read
HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs Access
HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Count Write
HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Path1 Write
HKEY_CURRENT_USER\Software\Microsoft\IEAK\GroupPolicy\PendingGPOs\Section1 Write
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings Access
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\DisplayLogo Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Enabled Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\Timeout Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\TrustPolicy Read
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoDetect Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyOverride Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer Read
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\ Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\\2500 Write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\ Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\\2500 Write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\ Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\\2500 Write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\ Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\\2500 Write
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\ Access
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\\2500 Write
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging Access
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging Access
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\PowerShell\Transcription Access
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System Access
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System Access
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Access
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Read
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Read
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 Access
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString Read
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz Read
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 Access
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2\ProcessorNameString Read
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2\~MHz Read
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 Access
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3\ProcessorNameString Read
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3\~MHz Read
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Read
HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Read
HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0 Access
HKEY_LOCAL_MACHINE\Hardware\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\AppContext Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\XML Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\PipelineMaxStackSizeMB Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DigitalProductId Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\Dynamic DST Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Display Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Dlt Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\MUI_Std Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\W. Europe Standard Time\TZI Read
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion Access
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemBiosVersion Read
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\IDE Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\SCSI Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\HardwareEvents\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Internet Explorer\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Key Management Service\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\OAlerts\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Windows PowerShell\PowerShell Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DefaultColor Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DisableUNCCheck Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar Read
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine Access
HKEY_LOCAL_MACHINE\Software\Microsoft\PowerShell\3\PowerShellEngine\ApplicationBase Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\DisplayLogo Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Enabled Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\IgnoreUserSettings Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\LogSecuritySuccesses Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\Timeout Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\TrustPolicy Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings\UseWINSAFER Read
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN Access
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\WSMAN\ServiceStackVersion Read
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging Access
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging Access
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\Transcription Access
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Winevt\Publishers\{5037b0a0-3a31-5cd2-ff19-103e9f160a74} Access
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment Access
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\PSMODULEPATH Read
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment\__PSLockdownPolicy Read
HKEY_PERFORMANCE_DATA Access
HKEY_PERFORMANCE_DATA\2 Read
Mutex (2)
»
Mutex Name Operations
Global\PowerShell_CommandAnalysis_Lock_S-1-5-21-2172869166-1497266965-2109836178-1000 Access, Delete
ServiceEntryPointThread Access
Domain (9)
»
Domain Sources
amd.martatovaglieri.it Function Log
drk.fm604.com Function Log
xmpp.dolcesognar.it Function Log
localhost Function Log
0 Function Log
::1 Function Log
spop.lestanzedifederica.com Function Log
arb.palaser.eu Function Log
gttopr.space Function Log
URL (9)
»
URL Operations Sources
http://amd.martatovaglieri.it/upll?26201 GET Function Log
HTTP://drk.fm604.com/rbody320 GET Function Log
HTTP://drk.fm604.com/rbody32 GET Function Log
HTTP://drk.fm604.com/rpersist4/2091998236 GET Function Log
HTTP://xmpp.dolcesognar.it/rbody320 GET Function Log
HTTP://xmpp.dolcesognar.it/rpersist4/1197631235 GET Function Log
HTTP://spop.lestanzedifederica.com/rpersist4/1197631235 GET Function Log
HTTP://arb.palaser.eu/rpersist4/1197631235 GET Function Log
HTTP://gttopr.space/rpersist4/1197631235 GET Function Log
IP (4)
»
IP Protocols Sources
176.10.125.81 HTTP, TCP Function Log
109.230.199.169 HTTPS, TCP Function Log
109.230.199.30 HTTPS, TCP Function Log
198.251.83.27 HTTPS, TCP Function Log
Export IOCs
Function Logfile
Download-Icon
Exit-Icon

This feature requires an online-connection to the VMRay backend.

An offline version with limited functionality is also provided.
The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy". 


    

   

   

    Before
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    After
   

   

    

     

      
       This feature requires an online-connection to the VMRay backend.
      
      

      

      An offline version with limited functionality is also provided.
      

      The offline version is supported only in Mozilla Firefoxwith deactivated setting "security.fileuri.strict_origin_policy".
     

     

    

   

   

    

     
      

       
       
       
       
      

     
     
     
    

   

  

  

   

    
    

     Screenshot
    

    

     Expand-Icon
    

    

     Exit-Icon
    

   

   

    

     icon_left
    

    

     icon_left
    

   

   

   

   

    image